Cisco ASA 5545-X Adaptive Security Appliance - No Payload Encryption Troubleshooting Guide

4. The destination of the packet matches the broad 10.0.0.0/8 route that points back out of the inside interface toward the router.
5. The ASA verifies whether hairpinning traffic is allowed: it searches for the same-security-traffic permit intra-interface command and finds that it is allowed.
6. A connection is built to and from the inside interface, and the packet is sent back to the router as the next hop.
7. The router receives a packet destined to 10.255.0.100 on the interface that faces the ASA. The router checks its routing table for a suitable next hop, finds that the next hop is the ASA inside interface, and sends the packet back to the ASA.
8. Return to Step 1.
An example is shown here:
This loop continues until the TTL of the packet decrements to 0. Note that the ASA firewall does not decrement the TTL value by default when it processes a packet; the router decrements the TTL as it routes the packet. This prevents the loop from continuing indefinitely, but the loop still increases the traffic load on the ASA and causes its CPU usage to spike.
Problem: Directed (network) Broadcast Packets Generated by VPN Clients are Looped on an Inside Network
This issue is similar to the first problem. If a VPN client generates a directed broadcast packet to its assigned IP subnet (10.255.0.255 in the previous example), the ASA might forward that packet as a unicast frame to the inside router. The inside router might then forward it back to the ASA, which causes the packet to loop until the TTL expires.
This series of events occurs:
1. The VPN client machine generates a packet destined to the network broadcast address 10.255.0.255, and the packet arrives at the ASA.
2. The ASA treats this packet as a unicast frame (due to the routing table) and forwards it to the inside router.
3. The inside router, which also treats the packet as a unicast frame, decrements the TTL of the packet and forwards it back to the ASA.
4. The process repeats until the TTL of the packet is reduced to 0.
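The following simulation is an added example, not Cisco's code or configuration, that models both loops described above (the unassigned pool address 10.255.0.100 and the directed broadcast 10.255.0.255) with longest-prefix-match routing tables on the ASA and the inside router. The topology is constructed: the VPN pool is assumed to be 10.255.0.0/24, a connected client at 10.255.0.5 is modelled as a host route into a `vpn_tunnel` sink, the router's other 10/8 destinations go to a `lan` sink, and the `discard` next hop used by `blackhole_pool` is a hypothetical illustration of how any more specific route that does not point back at the router ends the cycle, not the guide's prescribed fix. The ASA node does not decrement TTL, the router node does, so the count of ASA forwards shows the load the guide warns about.

```python
"""Simulation of the ASA <-> inside-router forwarding loop described in the
guide. Added example (not Cisco's code or configuration); the topology,
node names and the 'vpn_tunnel'/'lan'/'discard' sinks are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    dst: str
    ttl: int


@dataclass
class Hop:
    """A forwarding node with a longest-prefix-match routing table.

    routes maps a prefix to a next-hop name. The router decrements TTL on
    every forward; the ASA, as the guide notes, does not by default."""
    name: str
    routes: dict
    decrements_ttl: bool
    forwarded: int = 0

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, next_hop in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

    def forward(self, pkt: Packet):
        """Return the next-hop name, or None when this hop drops the packet."""
        if self.decrements_ttl:
            pkt.ttl -= 1
            if pkt.ttl <= 0:
                return None          # TTL expired: router discards the packet
        next_hop = self.lookup(pkt.dst)
        if next_hop is None or next_hop == "discard":
            return None              # no route, or an explicit drop route
        self.forwarded += 1
        return next_hop


def build_topology():
    # ASA: VPN pool is 10.255.0.0/24; client 10.255.0.5 is connected and is
    # modelled as a host route into the tunnel (constructed). Everything else
    # in 10.0.0.0/8 goes back out the inside interface to the router (hairpin).
    asa = Hop("asa", {"10.0.0.0/8": "router",
                      "10.255.0.5/32": "vpn_tunnel"}, decrements_ttl=False)
    # Inside router: the pool subnet is reached via the ASA; other 10/8
    # destinations are on the LAN side (constructed).
    router = Hop("router", {"10.255.0.0/24": "asa",
                            "10.0.0.0/8": "lan"}, decrements_ttl=True)
    return {"asa": asa, "router": router}


def simulate(nodes, start, pkt, max_hops=100000):
    """Walk the packet from `start` until a hop drops it or it exits the
    modelled topology (tunnel or LAN). Returns a short outcome string."""
    here = start
    for _ in range(max_hops):
        next_hop = nodes[here].forward(pkt)
        if next_hop is None:
            return f"dropped at {here}"
        if next_hop not in nodes:
            return f"delivered via {next_hop}"
        here = next_hop
    return "hop limit reached"


def run(dst, ttl, blackhole_pool=False):
    """Return (outcome, ASA forwards, router forwards) for one packet.

    blackhole_pool adds a hypothetical more-specific drop route on the ASA
    for the pool subnet, to show that any longer prefix that does not point
    back at the router ends the cycle (an illustration, not the guide's fix)."""
    nodes = build_topology()
    if blackhole_pool:
        nodes["asa"].routes["10.255.0.0/24"] = "discard"
    outcome = simulate(nodes, "asa", Packet(dst, ttl))
    return outcome, nodes["asa"].forwarded, nodes["router"].forwarded


if __name__ == "__main__":
    # Unassigned pool address from the guide: loops until the router's TTL
    # decrement reaches 0; the ASA handles the packet once per TTL unit.
    print(run("10.255.0.100", 64))      # ('dropped at router', 64, 63)
    # Directed broadcast of the pool subnet behaves the same way.
    print(run("10.255.0.255", 64))      # ('dropped at router', 64, 63)
    # A connected client's address matches the /32 and goes into the tunnel.
    print(run("10.255.0.5", 64))        # ('delivered via vpn_tunnel', 1, 0)
    print(run("10.255.0.100", 64, blackhole_pool=True))  # ('dropped at asa', 0, 0)
```

A packet that enters with TTL 64 is processed by the ASA 64 times and by the router 63 times before it is discarded, which is the per-packet cost behind the CPU spike the guide describes; a client with a Windows default TTL of 128 doubles that. The same walk shows why the loop only affects addresses that fall under the broad 10.0.0.0/8 route: a connected client's address matches the longer host prefix and leaves through the tunnel on the first hop.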